Whole Foods Investigates Payment Card Breach

Whole Foods Market has disclosed a point-of-sale (PoS) breach in which hackers were able to access payment card information for cards used at the taprooms and full table-service restaurants located within some stores.

To be clear, the issue doesn’t affect the grocery shopping check-out systems at stores.

“These venues use a different point of sale system than the company’s primary store checkout systems, and payment cards used at the primary store checkout systems were not affected,” the company said in a statement. “When Whole Foods Market learned of this, the company launched an investigation, obtained the help of a leading cyber security forensics firm, contacted law enforcement, and is taking appropriate measures to address the issue.”

No word yet on how many locations or cards are affected, but John Suit, CTO at Trivalent, said via email that attacks like this could be prevented with a better security posture.

“The recent Whole Foods breach demonstrates the importance of rigorous transaction data protection technology to combat the growing sophistication of point of sale system attacks,” he said. “To get ahead of these risks, retailers and businesses must understand that traditional encryption is no longer enough. Next generation data protection solutions are immediately needed to ensure protection of personally identifiable information such as credit card details. These solutions secure data at the file-level, keeping it safe from unauthorized users—even in the event of a breach.”

The high-end organic food chain deserves kudos for its network segmentation, however. Famously, it was a lack of segmentation that led to the massive size of the Target breach.

“Companies face threats every day and breaches will occur. In a contested environment like this, segmenting the networks, like Whole Foods did with its unique restaurant and taproom environment, saves other parts of the business from also being breached,” said Michael Daly, CTO for the Raytheon cybersecurity business, via email. “Financial systems within the larger Whole Foods system were not affected. The climate and operations controls were not compromised, protecting massive amounts of food and inventory. Whether the segmented approach was happenstance or not, there is a lesson to be taken from today’s breach.”